Add a reusable iptables baseline that hardens hosts with ICMP + SSH defaults and lets deployments register the ports they need. INPUT is deny-by-default (loopback, established, ICMP, SSH on the configured port, plus registered ports); OUTPUT stays open and FORWARD is left untouched so Docker container networking is unaffected. Persistence is native -- no boot hook. Rules are saved and restored by the distro's own package (iptables/ip6tables on Alpine, iptables-persistent on Debian, iptables-services on Alma) via the new oslib helpers install_iptables / fw_save_cmd / fw_enable_restore. The saved ruleset carries the INPUT->sshguard jump, so brute-force protection survives reboot without the old sshguard-iptables hook. A self-contained /usr/local/sbin/firewall-apply rebuilds INPUT from declarative drop-ins under /etc/firewall/ports.d and runs the native save, so deployments add a port without needing the repo present: printf '80/tcp\n443/tcp\n' > /etc/firewall/ports.d/mystack.rule /usr/local/sbin/firewall-apply - SSH port read live from sshd_config (custom bastion ports just work); FW_SSH_SOURCE restricts the source CIDR; FW_ALLOW_PING gates echo - harden-ssh.sh / harden-jumphost.sh install it when ENABLE_FIREWALL=1 (default) and skip the sshguard-only hook; ENABLE_FIREWALL=0 keeps it - cloud-init base.yml / jumphost.yml forward the toggle - the four stack deploy.sh open_web_ports() register 80/443 via the firewall (ufw/firewalld kept as fallback); Docker-published ports bypass INPUT, so this is belt-and-braces and self-documenting - README + cloud-init/README document the mechanism, Docker caveat, and the `disable` recovery path
pocket-id
Pocket-ID OIDC provider behind Caddy, with an optional Anubis proof-of-work anti-bot gate. The identity provider for the other stacks (headscale, beszel, webfinger).
Required .env values
| Variable | Notes |
|---|---|
POCKETID_DOMAIN |
Public hostname (e.g. id.example.com). |
ACME_EMAIL |
Let's Encrypt registration email. |
ENCRYPTION_KEY |
Generated on first deploy (openssl rand -base64 32). Losing it is unrecoverable. |
ANUBIS_PID_KEY |
Generated on first deploy (openssl rand -hex 32). |
MAXMIND_LICENSE_KEY (audit-log geolocation) is optional. See
.env.example for the full list.
Optional WebFinger: set BASE_DOMAIN (and REDIRECT_URL) to have this
Caddy also serve /.well-known/webfinger at the apex — useful when the base
domain has no other web server. Leave both blank to run pocket-id only and use
the dedicated webfinger deployment instead.
Deploy
From the repo root via the launcher:
./automations.sh # Deploy on this host → deploy: pocket-id
Or build the self-contained artifact and run it on the host:
./build.sh # embeds files into deploy.sh
scp deploy.sh root@host: # copy to the target
ssh root@host 'bash deploy.sh' # interactive
# non-interactive:
# POCKETID_DOMAIN=id.example.com ACME_EMAIL=me@example.com SKIP_PROMPTS=1 bash deploy.sh
Unattended provisioning: cloud-init.yml.
DNS for POCKETID_DOMAIN must resolve to the host and ports 80/443 be
reachable before deploy, or the LE cert request fails.